c9ce12bae6
(cherry picked from commit ec4b9d6705)
Vendor apps are usually not preopted, so A/B dexopt should pick
them up. update_engine is not mounting the vendor partition, so
let otapreopt_chroot do the work.
This change gives otapreopt_chroot permission to mount /vendor
into the chroot environment.
Bug: 25612095
Bug: 29498238
Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb
21 lines
878 B
Text
21 lines
878 B
Text
# otapreopt_chroot executable
|
|
type otapreopt_chroot, domain;
|
|
type otapreopt_chroot_exec, exec_type, file_type;
|
|
|
|
# Chroot preparation and execution.
|
|
# We need to create an unshared mount namespace, and then mount /data.
|
|
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
|
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
|
|
|
|
# This is required to mount /vendor.
|
|
allow otapreopt_chroot block_device:dir search;
|
|
allow otapreopt_chroot labeledfs:filesystem mount;
|
|
|
|
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
|
|
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
|
|
|
# Allow otapreopt to use file descriptors from update-engine. It will
|
|
# close them immediately.
|
|
allow otapreopt_chroot postinstall:fd use;
|
|
allow otapreopt_chroot update_engine:fd use;
|
|
allow otapreopt_chroot update_engine:fifo_file write;
|